The dependency list is missing "Smart phone".<p>Anyone who's spent time in hotels in recent years knows that since switching from mechanical keys to magnetic keys, sometimes the keys break and the guest is locked out of their hotel room, which of course they never discover until trying to open the door. Then they have to go to the front desk, probably stand in line, and request a replacement key.<p>Using smart phones as authentication devices suffers from this exact same problem. I can't speak for iOS, but every Android phone I've had has experienced slow operation, crashes, and other kinds of issues at inopportune moments. When I am trying to log into something to perform a 5 minute task I don't want to be delayed for 15 minutes while my phone chugs away at whatever.<p>I'm just one geek, but I have spent a lot of time thinking about "alternatives to passwords". I have concluded the password is king. We use passwords everywhere, and we will continue to use passwords everywhere, until someone invents something better. In hundreds of years nobody has done that yet (mechanical keys are a kind of password).<p>Instead of trying to replace passwords, which are reliable and simple to use, with complicated authentication systems which are not reliable and not simple, we should focus our efforts on improving password authentication in our existing apps (no more limitations), building great password tools like keepass.info, and encouraging the average user to use password tools and practice good password habits.
In the can-you-really-use-cell-phone-for-trusted-computing department:<p>I have had support agents come to me and say, "This user was convinced to put his phone into developer mode and attach it to a computer running malware controlled by the attacker." Game over.<p>Okay, that is colossally stupid behavior. Unbelievable, to most of the audience here. But users will do the damnedest things, and platforms -- whatever their static security failings -- really need to be resilient against coerced or ill-guided user actions as well.<p>I've worked on platforms that have had very well designed security systems, but they also made very sharp distinctions between what could be done by a developer and a normal user, and for the most part those worlds did not intersect at all.<p>Android's barrier of "tap seven times here and you're a developer" is very low. It's clever, and good for many reasons, but user security isn't one of them.
It looks a bit like Steve Gibson's SQRL (which uses a QR code rather than Bluetooth), which I think is an excellent idea. I just wish it was sponsored by someone more consensual/followed by the tech community.<p>But the idea of saving a private key on a locked down, app whitelisting, disk encrypted device (like an iPhone) and having a protocol that does not rely on a third party (which currently are mostly Google and the social networks, the last people on earth I would want to share which sites I log in to with) is appealing.
The Bluetooth dependency looks painful. But I'm also highly skeptical of the behavioural analysis. I feel like a piece of malware could replay recorded behaviour and attack at 2:30am when the user is probably close enough to trigger an automatic authentication.
This sentence worries me: "any secure computation algorithm that can compare our choice of user behavioral signature without exposing it" because it makes it seem as though there are lots of these just lying around. It seems like this would be very tricky to construct, especially given the inherent fuzziness of a signature/fingerprint based on user behavior. Do zero-knowledge 'proofs of behavior' exist?<p>EDIT: That said, I do think this is a cute idea.
We released a passwordless auth library for iOS about 2 weeks ago. At first glance, it looks much simpler than the process described on this website. We also take advantage of Secure Enclave key storage rather than leave the authenticator somewhere that malware can steal.<p><a href="https://blog.trailofbits.com/2016/06/28/start-using-the-secure-enclave-crypto-api/" rel="nofollow">https://blog.trailofbits.com/2016/06/28/start-using-the-secu...</a><p><a href="https://github.com/tidas" rel="nofollow">https://github.com/tidas</a>
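As an added illustration of the Secure Enclave approach mentioned in the comment above (this is example code written for this page, not the tidas library's own code or the Trail of Bits post's): a P-256 key is generated inside the Secure Enclave so the private half never exists in app memory, and the app signs a per-login nonce that the server checks against the public key it received at enrollment. The application tag, the error type and the locally generated stand-in nonce are assumptions; in a real deployment the server issues the nonce.

```swift
import Foundation
import Security

// Hypothetical tag; any app-unique identifier works.
let keyTag = "com.example.passwordless.devicekey".data(using: .utf8)!

enum EnclaveError: Error { case cf(CFError?), notFound }

/// Creates a P-256 key whose private half lives in the Secure Enclave.
/// The key is permanent, usable only on this device while it is unlocked,
/// and every signing operation requires user presence (passcode or Touch ID),
/// so malware that has code execution in the app still cannot sign silently
/// or copy the key off the device.
func createEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .userPresence],
        &error) else { throw EnclaveError.cf(error?.takeRetainedValue()) }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw EnclaveError.cf(error?.takeRetainedValue())
    }
    return key
}

/// Looks up the existing enclave key by tag. What comes back is a handle;
/// the private key bytes are never readable from the app.
func loadEnclaveKey() throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else { throw EnclaveError.notFound }
    return found as! SecKey
}

/// Signs a server-issued challenge. The fresh nonce binds the signature to one
/// login attempt, so a captured signature cannot be replayed later.
func signChallenge(_ challenge: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, challenge as CFData, &error) else {
        throw EnclaveError.cf(error?.takeRetainedValue())
    }
    return sig as Data
}

/// The server-side check, using the public key exported once at enrollment
/// (SecKeyCopyExternalRepresentation gives the ANSI X9.63 bytes to send up).
func verifyChallenge(_ challenge: Data, signature: Data, publicKey: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(
        publicKey, .ecdsaSignatureMessageX962SHA256,
        challenge as CFData, signature as CFData, &error)
}

// Usage on the device. The nonce here is generated locally only to make the
// snippet self-contained; in the real protocol the server generates it and
// rejects any nonce it has already seen.
let key = (try? loadEnclaveKey()) ?? (try createEnclaveKey())
let publicKey = SecKeyCopyPublicKey(key)!
let nonce = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
let signature = try signChallenge(nonce, with: key)
assert(verifyChallenge(nonce, signature: signature, publicKey: publicKey))
```

The part worth noticing is the access control: `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` keeps the key out of backups and off other devices, and `.userPresence` makes the signing step itself the user's consent, which is what makes this different from a software key sitting in the app's sandbox where a compromised process could sign at will.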
Reminds me of the Biometric Open Standard.<p>Link to draft: official one is behind paywall
<a href="https://www.oasis-open.org/committees/download.php/56664/P2410d11.pdf" rel="nofollow">https://www.oasis-open.org/committees/download.php/56664/P24...</a>